The Chapter members are interested in research projects covering the following topics:

Android security

Mobile malware analysis

Computer forensics

IPv6 Honeypots

Malware analysis

Underground economy

Distributed honeynet deployment, operation and data analysis

DEPLOYMENTS

Artemis distributed honeypot on CERNET

1. We deployed nearly thirty virtual honeypots on CERNET, integrating Dionaea, Kippo, Glastopf and Spampot, using XMPP to collect the captured logs, and extended carniwwwhore as the web UI.
2. We are replacing XMPP with HPFeeds and adding IPv6 support; the backend is being rewritten on HPFeeds, MongoDB and Django.
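To make the HPFeeds side of the new backend concrete, here is an added example (written for this page, not Artemis project code) of the HPFeeds wire format as implemented by the reference hpfeeds client: framing, the INFO/AUTH challenge handshake that the broker uses to authenticate a sensor without sending its secret, PUBLISH/SUBSCRIBE messages, and a small in-memory stand-in for the MongoDB event store that files each published document under its channel. The ident `artemis-node1`, the secret and the two connection events are constructed; the channel name `dionaea.connections` is the one Dionaea publishes to, and `EventStore` is a hypothetical class.

```python
import hashlib
import hmac
import json
import struct
from collections import defaultdict

# HPFeeds wire format as used by the reference hpfeeds client: every message is
# a 4-byte big-endian total length (header included), a 1-byte opcode, then a body.
OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH, OP_SUBSCRIBE = 0, 1, 2, 3, 4
HDR = struct.Struct("!IB")


def _str8(s: bytes) -> bytes:
    """1-byte length-prefixed string, the encoding HPFeeds uses for ident and channel."""
    if len(s) > 255:
        raise ValueError("hpfeeds idents/channels are limited to 255 bytes")
    return bytes([len(s)]) + s


def frame(op: int, body: bytes) -> bytes:
    return HDR.pack(HDR.size + len(body), op) + body


def msg_info(broker_name: bytes, nonce: bytes) -> bytes:
    """Broker -> client greeting: broker name plus a 4-byte challenge nonce."""
    return frame(OP_INFO, _str8(broker_name) + nonce)


def msg_auth(nonce: bytes, ident: bytes, secret: bytes) -> bytes:
    """Client -> broker: ident plus SHA-1(nonce || secret); the secret itself never crosses the wire."""
    return frame(OP_AUTH, _str8(ident) + hashlib.sha1(nonce + secret).digest())


def msg_subscribe(ident: bytes, channel: bytes) -> bytes:
    return frame(OP_SUBSCRIBE, _str8(ident) + channel)


def msg_publish(ident: bytes, channel: bytes, payload: bytes) -> bytes:
    return frame(OP_PUBLISH, _str8(ident) + _str8(channel) + payload)


def verify_auth(nonce: bytes, body: bytes, secrets: dict):
    """Broker side: recompute the digest for the claimed ident; return the ident or None."""
    n = body[0]
    ident, digest = body[1:1 + n], body[1 + n:]
    secret = secrets.get(ident)
    if secret is None:
        return None
    expected = hashlib.sha1(nonce + secret).digest()
    return ident if hmac.compare_digest(expected, digest) else None


def parse_stream(buf: bytes):
    """Split a TCP byte stream into (opcode, body) tuples, returning any partial tail."""
    msgs = []
    while len(buf) >= HDR.size:
        total, op = HDR.unpack_from(buf)
        if total < HDR.size:
            raise ValueError("bad hpfeeds length field")
        if len(buf) < total:
            break
        msgs.append((op, buf[HDR.size:total]))
        buf = buf[total:]
    return msgs, buf


def decode_publish(body: bytes):
    n = body[0]
    ident, rest = body[1:1 + n], body[1 + n:]
    m = rest[0]
    return ident, rest[1:1 + m], rest[1 + m:]


class EventStore:
    """Hypothetical stand-in for the MongoDB backend: one collection (list of documents) per channel."""

    def __init__(self):
        self.collections = defaultdict(list)

    def ingest(self, stream: bytes) -> dict:
        msgs, _tail = parse_stream(stream)
        for op, body in msgs:
            if op != OP_PUBLISH:
                continue
            ident, channel, payload = decode_publish(body)
            doc = json.loads(payload)
            doc["_ident"] = ident.decode()
            self.collections[channel.decode()].append(doc)
        return dict(self.collections)


# Constructed sample: two events a Dionaea node might publish on "dionaea.connections".
SAMPLE_EVENTS = [
    {"remote_host": "203.0.113.7", "remote_port": 4444, "local_port": 445, "protocol": "smbd"},
    {"remote_host": "198.51.100.9", "remote_port": 51012, "local_port": 21, "protocol": "ftpd"},
]
SAMPLE_STREAM = b"".join(
    msg_publish(b"artemis-node1", b"dionaea.connections", json.dumps(e).encode())
    for e in SAMPLE_EVENTS
)

if __name__ == "__main__":
    nonce = b"\x01\x02\x03\x04"
    auth_body = msg_auth(nonce, b"artemis-node1", b"node1-secret")[HDR.size:]
    print("auth ok:", verify_auth(nonce, auth_body, {b"artemis-node1": b"node1-secret"}))
    print(EventStore().ingest(SAMPLE_STREAM))
```

The length-prefixed framing is what lets many sensors share one broker connection without a per-message delimiter, and `parse_stream` keeps the unconsumed tail so a real TCP reader can append the next `recv()` to it. The SHA-1 challenge response is the protocol's own design; the broker-side `verify_auth` uses a constant-time comparison so the digest check does not leak timing.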

RESEARCH AND DEVELOPMENT

Projects

1. Chinese Underground Economy Investigation: we released the investigation report in both English and Chinese to reveal to the public the security threats posed by the underground economy; it attracted a great deal of attention from the media, industry, the public and the government in China.

2. Artemis distributed honeypot deployment and operation: we have a small grant from the MIIT of China to build and operate a proof-of-concept IPv6 distributed darknet/honeynet with four nodes.

GSoC'11 Tools

1. APKInspector, developed by Cong Zheng, mentored by Ryan Smith. The goal of this project is to aid analysts and reverse engineers in visualizing compiled Android packages and their corresponding DEX code. The primary focus is to provide the visualization layer that is typically missing from existing Android reverse engineering tools, and to create a unified platform that combines several of those tools into a single view and context. For example, this includes taking the control-flow graph output from Androguard and unifying it with the code output from apktool or dex2jar.

2. AxMock, developed by Youzhi Bao, mentored by Ian Welch. Capture-AxMock is a tool for monitoring the behaviour of ActiveX controls referenced from web pages; it can also be used to emulate the behaviour of ActiveX controls that are not currently installed.

GSoC'12 Tools

1. DroidBox's APIMonitor, developed by Kun Yang, mentored by Patrik Lantz. Android is evolving rapidly, and to avoid endlessly porting DroidBox to each new release we changed the way dynamic analysis is done. Instead of hooking the system, we interpose on API calls inside the APK file and insert monitoring code. Running the repackaged APK produces API call logs from which the APK's behaviour can be understood.

2. APKInspector improvement, developed by Yuan Tian, mentored by Cong Zheng. The updated version of APKInspector is a powerful static analysis tool for malicious Android applications. It provides a variety of convenient features for smartphone security engineers: with sensitive-permission analysis, static instrumentation, easy-to-use graph/code interaction, etc., they can gain a thorough and deep understanding of malicious applications on Android.

3. 6Guard, an IPv6 attack detector, developed by Weilin Xu, mentored by Ryan Smith. 6Guard is an IPv6 attack detector aimed at link-local security threats, including most attacks launched by the THC-IPv6 suite and the advanced host discovery methods used by Nmap. It can help network administrators detect link-local IPv6 attacks at an early stage.
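As an added illustration of the API interposition approach described under DroidBox's APIMonitor above (example code written for this page, not the APIMonitor project's own implementation), the following rewrites disassembled smali so that calls to watched framework APIs go through static wrapper methods of an injected monitor class instead. An instance call's receiver register becomes the wrapper's first argument, so the existing register list is reused as-is and no registers need to be allocated; the monitor class then logs the call and forwards it to the real API. The `Lorg/example/apimonitor/Monitor;` class, the `WATCH` list and the smali method are all constructed for this example.

```python
import re

# One invoke line in baksmali output, e.g.
#   invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
INVOKE_RE = re.compile(
    r"^(?P<indent>\s*)invoke-(?P<kind>virtual|direct|static|interface|super)"
    r"(?P<range>/range)?\s+\{(?P<regs>[^}]*)\},\s+"
    r"(?P<cls>L[^;]+;)->(?P<name>[^(]+)\((?P<params>[^)]*)\)(?P<ret>\S+)\s*$"
)

# Hypothetical monitor class carried by the instrumented APK; each static wrapper
# logs the call and then forwards it to the real framework API.
MONITOR_CLASS = "Lorg/example/apimonitor/Monitor;"

# Constructed watch list: framework APIs whose calls we want to see in the log.
WATCH = {
    "Landroid/telephony/SmsManager;": {"sendTextMessage"},
    "Landroid/telephony/TelephonyManager;": {"getDeviceId"},
}


def wrapper_name(cls: str, method: str) -> str:
    simple = cls[1:-1].rsplit("/", 1)[-1]   # "Landroid/telephony/SmsManager;" -> "SmsManager"
    return f"{simple}_{method}"


def rewrite_smali(text: str, watch: dict = WATCH):
    """Redirect watched invokes to static wrappers.

    Returns (rewritten text, set of wrapper signatures the monitor class must provide,
    number of call sites rewritten).
    """
    out, needed, rewritten = [], set(), 0
    for line in text.splitlines():
        m = INVOKE_RE.match(line)
        if not m or m["name"] not in watch.get(m["cls"], ()):
            out.append(line)
            continue
        if m["kind"] == "super":
            out.append(line)   # a super call cannot be routed through a static wrapper; left as-is
            continue
        # Instance calls: the receiver register becomes the wrapper's first argument,
        # so the register list is reused unchanged and nothing new has to be allocated.
        params = m["params"] if m["kind"] == "static" else m["cls"] + m["params"]
        sig = f"{wrapper_name(m['cls'], m['name'])}({params}){m['ret']}"
        needed.add(sig)
        out.append(f"{m['indent']}invoke-static{m['range'] or ''} {{{m['regs']}}}, {MONITOR_CLASS}->{sig}")
        rewritten += 1
    return "\n".join(out), needed, rewritten


# Constructed smali of a method that reads the device IMEI and sends it by SMS.
SAMPLE_SMALI = """\
.method private leak(Landroid/telephony/TelephonyManager;)V
    .registers 8
    invoke-virtual {p1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v3
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    const-string v1, "10086"
    const/4 v2, 0x0
    const/4 v4, 0x0
    const/4 v5, 0x0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
"""

if __name__ == "__main__":
    new_text, wrappers, count = rewrite_smali(SAMPLE_SMALI)
    print(new_text)
    print(f"{count} call sites rewritten; wrappers needed:")
    for sig in sorted(wrappers):
        print("  ", sig)
```

The returned signature set is the contract for the injected monitor class: for each entry it must contain a `public static` method with that exact descriptor, which is what makes the repackaged APK verify and run. Calls that do not reach a watched API (such as the `getDefault()` factory call above) are left untouched, and the approach covers only direct call sites in the app's own DEX, not reflection or native code.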
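To show the kind of link-local checks a detector like 6Guard performs, here is an added example (written for this page, not 6Guard's code) that parses raw Ethernet/IPv6/ICMPv6 frames and raises alerts for two classes of link-local activity the text mentions: Router Advertisements that are malformed under RFC 4861 or come from a router not in an allow-list (rogue or spoofed RAs), and repeated echo requests to the all-nodes multicast group, which is how multicast host discovery enumerates a link. All frames, MAC addresses and the `KNOWN_ROUTERS` table are constructed; ICMPv6 checksums and extension headers are not handled.

```python
import ipaddress
import struct
from collections import Counter

ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ND_ROUTER_ADVERT = 134
ICMP6_ECHO_REQUEST = 128
ALL_NODES = ipaddress.IPv6Address("ff02::1")


def build_frame(src_mac: str, src_ip: str, dst_ip: str, icmp_type: int, icmp_body: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv6/ICMPv6 frame (checksum left zero; not verified in this example)."""
    dst = ipaddress.IPv6Address(dst_ip)
    # An IPv6 multicast group maps to MAC 33:33 followed by the low 32 bits of the address.
    dst_mac = b"\x33\x33" + dst.packed[-4:] if dst.is_multicast else b"\x02\x00\x00\x00\x00\x02"
    eth = dst_mac + bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", ETH_P_IPV6)
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + icmp_body
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
           + ipaddress.IPv6Address(src_ip).packed + dst.packed)
    return eth + ip6 + icmp


def parse_frame(frame: bytes):
    """Return the fields the detector needs, or None for frames that are not plain ICMPv6."""
    if len(frame) < 14 + 40 + 4 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IPV6:
        return None
    _plen, nxt, hlim = struct.unpack_from("!HBB", frame, 18)
    if nxt != IPPROTO_ICMPV6:       # extension headers are not walked in this example
        return None
    return {
        "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
        "src": ipaddress.IPv6Address(frame[22:38]),
        "dst": ipaddress.IPv6Address(frame[38:54]),
        "hlim": hlim,
        "type": frame[54],
    }


def detect(frames, known_routers: dict, probe_threshold: int = 3):
    """known_routers maps a router's link-local address to its MAC; returns (kind, src_ip, src_mac) alerts."""
    alerts, probes = [], Counter()
    for raw in frames:
        p = parse_frame(raw)
        if p is None:
            continue
        src, mac = str(p["src"]), p["src_mac"]
        if p["type"] == ND_ROUTER_ADVERT:
            # RFC 4861: a valid RA comes from a link-local source with hop limit 255.
            if not p["src"].is_link_local or p["hlim"] != 255:
                alerts.append(("invalid_ra", src, mac))
            elif known_routers.get(src) != mac:
                alerts.append(("rogue_ra", src, mac))     # unknown router, or a known address from the wrong MAC
        elif p["type"] == ICMP6_ECHO_REQUEST and p["dst"] == ALL_NODES:
            # Repeated pings to all-nodes are the signature of a multicast host-discovery sweep.
            probes[src] += 1
            if probes[src] == probe_threshold:
                alerts.append(("multicast_discovery", src, mac))
    return alerts


# Constructed traffic: one legitimate RA, one RA from an unknown router, a burst of
# all-nodes pings from one host, and an ordinary unicast ping that must not alert.
KNOWN_ROUTERS = {"fe80::1": "00:11:22:33:44:55"}
RA_BODY = struct.pack("!BBHII", 64, 0, 1800, 0, 0)   # cur hop limit, flags, router lifetime, reachable, retrans
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:55", "fe80::1", "ff02::1", ND_ROUTER_ADVERT, RA_BODY),
    build_frame("aa:bb:cc:dd:ee:ff", "fe80::dead:beef", "ff02::1", ND_ROUTER_ADVERT, RA_BODY),
    *[build_frame("de:ad:be:ef:00:01", "fe80::abcd", "ff02::1", ICMP6_ECHO_REQUEST, struct.pack("!HH", 1, i))
      for i in range(3)],
    build_frame("de:ad:be:ef:00:02", "fe80::1234", "fe80::5678", ICMP6_ECHO_REQUEST, struct.pack("!HH", 1, 1)),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FRAMES, KNOWN_ROUTERS):
        print(alert)
```

The allow-list check keys on both the router's link-local address and its MAC, so a frame that borrows the legitimate router's address from a different NIC is still flagged. In a real deployment the frames would come from a raw socket or pcap on the monitored segment, and the probe counter would need a time window so that slow sweeps are caught and long-lived counters do not grow without bound.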

Jianwei Zhuge, Investigating China's Online Underground Economy. Conference on the Political Economy of Information Security in China, San Diego, US, April 2012. Also given at ICSI Berkeley, Baidu and the MPS of China.

Our chapter's goals for the following year are:
1. to develop the Artemis distributed honeynet with full IPv6 support, deploy it on major campuses in mainland China, and start security data collection, analysis and incident response;
2. to continue our research on Android security, the underground economy and malware analysis, and publish high-quality papers and presentations;
3. to enrich our interaction and collaboration with the worldwide information security community and increase our influence.